iPhone Apps Tracking Users Location Without Permission

Research conducted by Bitdefender claims that almost one in five Apple iPhone apps can access a user’s Address Book, while some 41 percent can track the users location and more than a thirds also store user data without encrypting it.

The study of more than 65,000 apps distributed widely on the Apple App Store revealed tens of thousands tap contact information and access data without explicit user permission.

While many apps clearly use these privileges to function, others have no obvious use for the data they may be collecting, ranging from accessing a user’s phone book to tracking usage. By default, apps on the App Store only ask for permission to access location-related services and not when accessing the Address Book or other functions.

Bitdefender’s analysis included 65,000 of the more popular apps in the App Store and found only 57.5 percent encrypt stored data while the rest do not, potentially placing the user’s data at risk after accessing it. Some 41.4 percent of the apps analysed can track a user’s location, meaning most iPhone owners are likely to have at least one app on their device capable of knowing where they are.

Location tracking used in contextual ads that display based on a user’s geo-location is highly controversial, yet common. This type of information can be sold to companies, helping them build effective marketing campaigns.

Bitdefender’s study did not cover all available apps so the numbers and ratios may change when extrapolated across the whole App Store.

The research also revealed 18.6 percent of the apps can access a user’s Address Book, including all contact details. The only legitimate reason for an app to access the user’s Address Book would be to transfer contacts or merge social media contact details with your on-device phone numbers. It’s unlikely almost a fifth of all apps need Address Book information to function. Chances are high many apps access Address Books without a user’s knowledge.

Bitdefender also found 30.7 percent of the apps analysed can display ads and 16.4 percent can connect to Facebook. Other functions include tracking usage through Flurry analytics, Google Analytics of Mobclix analytics. Some apps use all three analytics software. Hundreds of apps analysed also use an iPhone’s Unique Device Identifier (UDID) which can identify the owner, while hundreds more use background Voice-over-IP, Open Feint usage tracking and more.

“It is worrying stored data encryption on iOS apps is low and location tracking is so prevalent. Without notification of what an app accesses, it is difficult to control what information users give up,” said Catalin Cosoi, Chief Security Researcher at Bitdefender. “We see a worrying landscape of poor user data encryption, prevalent location tracking and silent, unjustified, Address Book access.”

Private data may be used to determine an individual’s behaviour patterns including, but not limited to, profiling for marketing activities. Collection algorithms and patterns are sometimes used to reveal much more, including user identity. There is no publicly accessible database for user education and awareness on these privacy concerns.